Authentication

OAuth, data access, billing, privacy, and publishing safety for Pixloop MCP.


Security model

Authentication

OAuth 2.0 authorization code with PKCE is supported for connector clients, including Codex via codex mcp login. Client credentials can be used for API-style testing with a Pixloop API key from Account Settings → API Keys.

Transport

Remote HTTPS MCP over Streamable HTTP. Authenticated tools are exposed through JSON-RPC methods such as initialize, tools/list, and tools/call.

Data access

Pixloop uses the permissions of the signed-in Pixloop account: brands, media, workflows, credits, and connected publishing accounts.

Publishing safety

Publishing tools support dry-run flows and should publish live posts only after explicit approval in the current conversation.

Billing

Generation consumes Pixloop credits according to the selected model, action, output duration, resolution, and provider cost.

Retention and ownership

Uploaded assets, generated creative, connected account data, and privacy rights are governed by the Pixloop Privacy Policy and Terms.

Discovery

Connector clients discover authorization metadata through the MCP server origin before making authenticated tool calls.

GET /.well-known/oauth-protected-resource
GET /.well-known/oauth-authorization-server